Starburst MySQL connector#

The Starburst MySQL connector is an extended version of the MySQL connector with configuration and usage identical.

Requirements#

SQL support#

The connector supports all of the SQL statements listed in the MySQL connector documentation.

The following improvements are included:

Performance#

The connector includes a number of performance improvements, detailed in the following sections.

Table statistics#

This feature is available for free, and does not require a valid license.

The MySQL connector supports table and column statistics to improve query processing performance based on the actual data in the data source.

The statistics are collected by MySQL and retrieved by the connector.

The table-level statistics are based on MySQL’s INFORMATION_SCHEMA.TABLES table. The column-level statistics are based on MySQL’s index statistics INFORMATION_SCHEMA.STATISTICS table. The connector can return column-level statistics only when the column is the first column in some index.

MySQL database can automatically update its table and index statistics. In some cases, you may want to force statistics update (e.g. after creating new index or after changing data in the table). You can do that by executing the following statement in MySQL Database.

ANALYZE TABLE table_name;

Note

MySQL and SEP may use statistics information in different ways. For this reason, the accuracy of table and column statistics returned by the MySQL connector might be lower than than that of others connectors.

Improving statistics accuracy

You can improve statistics accuracy with histogram statistics (available since MySQL 8.0). To create histogram statistics execute the following statement in MySQL Database.

ANALYZE TABLE table_name UPDATE HISTOGRAM ON column_name1, column_name2, ...;

Refer to MySQL documentation for information about options, limitations and additional considerations.

Pushdown#

The connector supports pushdown for a number of operations:

Dynamic filtering#

Dynamic filtering is enabled by default. It causes the connector to wait for dynamic filtering to complete before starting a JDBC query.

You can disable dynamic filtering by setting the property dynamic-filtering.enabled in your catalog properties file to false.

Starburst Cached Views#

The connector supports table scan redirection which improves performance and reduces load on the data source.

Security#

The connector includes a number of additional security features, detailed in the following sections.

AWS IAM authentication#

When the MySQL database is deployed as an AWS RDS instance, the connector can use IAM authentication. This enhancement allows you to manage access control from SEP with IAM policies.

Configuration#

To enable IAM authentication, add the following configuration properties to the catalog configuration file:

mysql.authentication.type=AWS
connection-user=<RDS username>
aws.region-name=<AWS region>
aws.token-expiration-timeout=10m

You can also configure the connector to assume a specific IAM role for authentication before creating the access token, in order to apply policies specific to SEP. Alongside this role, you must include an (informal) external identifier of a user to assume this role.

To apply an IAM role to the connector, add the following configuration properties:

aws.iam-role=<role_arn>
aws.external-id=<external_id>

This table describes the configuration properties for IAM authentication:

IAM configuration properties#

Property name

Description

connection-user

The database account used to access the RDS database instance.

aws.region-name

The name of the AWS region in which the RDS instance is deployed.

aws.iam-role

(Optional) Set an IAM role to assume for authentication before creating the access token. If set, aws.external-id must be configured as well.

aws.external-id

(Optional) The informal identifier of the user who assumes the IAM role set in aws.iam-role.

aws.token-expiration-timeout

The amount of time to keep the generated RDS access tokens for each user before they are regenerated. The maximum value is 15 minutes. Defaults to 10m.

aws.access-key

The access key of the principal to authenticate with for the token generator service. Used for fixed authentication, setting this property disables automatic authentication.

aws.secret-key

The secret key of the principal to authenticate with for the token generator service. Used for fixed authentication, setting this property disables automatic authentication.

aws.session-token

(Optional) A session token for temporary credentials, such as credentials obtained from SSO. Used for fixed authentication, setting this property disables automatic authentication.

Authentication#

By default the connector attempts to automatically obtain its authentication credentials from the environment. The default credential provider chain attempts to obtain credentials from the following sources, in order:

  1. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, or AWS_ACCESS_KEY and AWS_SECRET_KEY.

  2. Java system properties: aws.accessKeyId and aws.secretKey.

  3. Web identity token: credentials from the environment or container.

  4. Credential profiles file: a profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI.

  5. EC2 service credentials: credentials delivered through the Amazon EC2 container service, assuming the security manager has permission to access the value of the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.

  6. Instance profile credentials: credentials delievered through the Amazon EC2 metadata service.

If the SEP cluster is running on an EC2 instance, these credentials most likely come from the metadata service.

Alternatively, you can set fixed credentials for authentication. This option disables the container’s automatic attempt to locate credentials. To use fixed credentials for authentication, set the following configuration properties:

aws.access-key=<access_key>
aws.secret-key=<secret_key>

# (Optional) You can use temporary credentials. For example, you can use temporary credentials from SSO
aws.session-token=<session_token>